Hitachi Vantara Pentaho Community Wiki
Child pages
  • A6 Sensitive Data Exposure

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1.  Introduction
    1. Architectural Decision
  2. Transport Layer Protection Cheat Sheet Providing Transport Layer Protection with SSL/TLS
    1. Benefits
    2. Basic Requirements
    3. SSL vs. TLS
    4. When to Use a FIPS 140-2 Validated Cryptomodule
    5. Secure Server Design
      1. 2.5.1 Rule - Use TLS for All Login Pages and All Authenticated Pages
      2. Use TLS on Any Networks (External and Internal) Transmitting Sensitive Data
      3. Do Not Provide Non-TLS Pages for Secure Content
      4. Do Not Mix TLS and Non-TLS Content
      5. Use "Secure" Cookie Flag
      6. Keep Sensitive Data Out of the URL
      7. Prevent Caching of Sensitive Data
      8. Use HTTP Strict Transport Security
      9. Use Public Key Pinning
    6. Server Certificate
      1. Use Strong Keys & Protect Them
      2. Use a Certificate That Supports Required Domain Names
      3. Use Fully Qualified Names in Certificates
      4. Do Not Use Wildcard Certificates
      5. Do Not Use RFC 1918 Addresses in Certificates
      6. Use an Appropriate Certification Authority for the Application's User Base
      7. Always Provide All Needed Certificates
      8.  Be aware of and have a plan for the SHA-1 deprecation plan
    7. Server Protocol and Cipher Configuration
      1. Only Support Strong Protocols
      2. Prefer Ephemeral Key Exchanges
      3. Only Support Strong Cryptographic Ciphers
      4. Support TLS-PSK and TLS-SRP for Mutual Authentication
      5. Only Support Secure Renegotiations
      6. Disable Compression
    8. Test your overall TLS/SSL setup and your Certificate
    9. Client (Browser) Configuration
    10. Additional Controls
      1. Extended Validation Certificates
      2. Client-Side Certificates
      3. Certificate and Public Key Pinning
      4. Secure Internal Network Fallacy
  3. Providing Transport Layer Protection for Back End and Other Connections
    1. Transport Layer Protection Cheat Sheet
    2. Protocol and Cipher Configuration for Back End and Other Connections
  4. Tools